I don't consider it as a bloker issue for the majority of installs but it is
one for vmbuild.
IMO, we can release it with this issue and release 1.2.1 in few week with
redback 1.2 (not tested yet brett's changes) and some other fixes, but I'm
ok for a take 4 too :-)
Emmanuel
On Wed, Sep 17, 2008 at 10:19 PM, Olivier Lamy <olamy@apache.org> wrote:
> As I understand here we depend on a redback 1.2 release to fix that ?
> When this one will be released ?
> Perso, I don't have any objections to try an other release (take 4) if
> the next rednack release which fix that is available at the end of the
> week. (Now I know exactly what to do to cut a continuum releases all
> scripts are ready ;-) ).
> I consider this issue as blocker if we want to update the continuum
> instance in vmbuild.
>
> Thoughts ?
>
> Thanks,
> --
> Olivier
>
>
> 2008/9/17 Wendy Smoak <wsmoak@gmail.com>:
> > On Mon, Sep 15, 2008 at 3:59 AM, Olivier Lamy <olamy@apache.org> wrote:
> >
> >> The last release is 9 months and no one has been done since the TLP
> graduation.
> >> I'd like to release continuum 1.2.
> >> We fixed 128 issues :
> >>
> http://jira.codehaus.org/secure/ReleaseNote.jspa?version=13779&styleName=Html&projectId=10540&Create=Create
> >>
> >> The staging repo is here :
> http://people.apache.org/~olamy/staging-repo/<http://people.apache.org/%7Eolamy/staging-repo/>
> >
> > If you're using project group permissions, there's a fairly serious
> > security issue in 1.2. Any project group admin can grant roles all
> > the way up to system administrator, to himself and others.
> > (CONTINUUM-1867)
> >
> > I'm conflicted about releasing this as-is. On one hand, if you're
> > depending on the roles to prevent access to projects, it's seriously
> > broken. On the other hand... most people I've talked to aren't using
> > this feature, and even if the roles *are* working, any developer can
> > check in a script, which runs as the Continuum user, and do pretty
> > much anything they want.
> >
> > Thoughts?
> >
> > --
> > Wendy
> >
>